Windows Privilege Escalation
Prerequisites & Requirements
to follow along with the tools and techniques utilized in this document, you will need to use one of the following offensive Linux distributions:
- Kali Linux
- Parrot OS
The privilege escalation techniques used in this book were tested in the following versions of Windows:
- Windows 7
- Windows 10
The following is a list of recommended technical prerequisites that you will need to get the most out of this course:
Familiarity with Linux system administration.
Familiarity with Windows.
Functional knowledge of TCP/IP.
Familiarity with penetration testing concepts and life-cycle.
Note: The techniques and tools utilized in this document were performed on Kali Linux 2021.2 Virtual Machine
MITRE ATT&CK Privilege Escalation Techniques
Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:
SYSTEM/root level
local administrator
A user account with admin-like access
user accounts with access to a specific system or performs a specific function
The following is a list of key techniques and sub-techniques that we will be exploring:
UAC Bypass
Token Impersonation
Kernel Exploits
Scenario
Our objective is to elevate our privileges on Windows target systems by leveraging various privilege escalation techniques.
Bypassing UAC
We can bypass UAC mechanisms to elevate process privileges on the target system. The Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.
Metasploit has various UAC privilege escalation modules that we can utilize to elevate our privileges.
The following procedures outline the process of elevating privileges by bypassing UAC on a Windows 10 system:
We can now search for UAC modules by running the following command:
in the following screenshot, we will be utilizing the “bypassuac_injection_winsxs” module as it is the only module that works on Windows 10 systems.
We can now load the bypass UAC module by running the following command:
After loading the module, we will need to configure the module options, this can be done by running the following commands:
After configuring the module options, we can now execute the module by running the following command:
If successful, the module will send the meterpreter stage to the target and you should receive an elevated meterpreter session as shown in the following screenshot.
We can confirm that we have an elevated session by listing out the Windows privileges for our current user, this can be done by running the following command in meterpreter:
As shown in the preceding screenshot, this meterpreter session has administrative privileges and we can migrate to an NT AUTHORITY/SYSTEM process.
Windows Kernel Exploits
We can exploit vulnerabilities in the Windows NT kernel in an attempt to elevate our privileges. The exploitation of a vulnerability in the Windows kernel occurs when an adversary takes advantage of a programming error in the kernel to execute adversary-controlled code.
We can begin the kernel exploitation process by taking a look at how to identify and transfer kernel exploits onto our target system. For this section, our target system will be running Windows 7. As a prerequisite, ensure that you have gained your initial foothold on the system and have a meterpreter session:
The first step is to scan and identify potential kernel vulnerabilities. This can be done through the use of the Windows-Exploit-Suggester tool.
The Windows-Exploit-Suggester script can be downloaded from this link: https://github.com/AonCyberLabs/Windows-Exploit-Suggester
In order to use the Windows-Exploit-Suggester tool, you will need to run the following commands:
The preceding command will download the vulnerability database and save it as a .xlsx file. We will be utilizing this vulnerability database to identify vulnerabilities on the target system.
The next step will involve enumerating the target operating system information and configuration, this can be done by running the following command in a Windows command shell:
We will need to copy this information and paste it into a file called “systeminfo.txt”. We will be using this file to identify Kernel exploits with the Windows-Exploit-Suggester.
We can now utilize the Windows-Exploit-Suggester to identify vulnerabilities for our target system, this can be done by running the following command on Kali:
As shown in the following screenshot, Windows-Exploit-Suggester will display a list of vulnerabilities that we can exploit on the target system in order to elevate our privileges.
It is always recommended to use the first exploit recommended by the Windows-Exploit-Suggester. In this case, we will start off with the MS16-135 kernel exploit. We will need to determine more information about the exploit and how it should be used. This can be done by performing a quick Google search as highlighted in the following screenshot:
The Google search reveals a GitHub repository that contains information regarding the exploit, the exploit source code, and how it should be used.
It is always recommended to analyze the source code to ensure that it is not malicious and works as intended to make any additional modifications required. In this case, we will be using the prebuilt exploit as shown in the following screenshot.
After downloading the pre-built exploit executable, we will need to transfer it over to the target system.
We can now transfer the exploit executable to the target system, this can be done by starting a local web server on the Kali VM with the SimpleHTTPServer Python module:
In order to transfer the exploit executable onto the target system, we can utilize the certutil utility. This can be done by running the following command on the target system:
We can now run the exploit executable by running the following command on the target system:
After running the exploit with the operating system specified, it will take a few seconds to complete, after which we should have an elevated shell with NT AUTHORITY/SYSTEM privileges as shown in the following screenshot.
